CVE-2025-53889

MEDIUM

Directus <11.9.0 - Privilege Escalation

Title source: llm

Description

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.9.0, Directus Flows with a manual trigger are not validating whether the user triggering the Flow has permissions to the items provided as payload to the Flow. Depending on what the Flow is set up to do this can lead to the Flow executing potential tasks on the attacker's behalf without authenticating. Bad actors could execute the manual trigger Flows without authentication, or access rights to the said collection(s) or item(s). Users with manual trigger Flows configured are impacted as these endpoints do not currently validate if the user has read access to `directus_flows` or to the relevant collection/items. The manual trigger Flows should have tighter security requirements as compared to webhook Flows where users are expected to perform do their own checks. Version 11.9.0 fixes the issue. As a workaround, implement permission checks for read access to Flows and read access to relevant collection/items.

References (3)

Core 3

Core References

Third Party Advisory x_refsource_confirm

https://github.com/directus/directus/security/advisories/GHSA-7cvf-pxgp-42fc

Patch x_refsource_misc

https://github.com/directus/directus/commit/22be460c76957708d67fdd52846a9ad1cbb083fb

View Patch ZIP pw:eip

Release Notes x_refsource_misc

https://github.com/directus/directus/releases/tag/v11.9.0

Scores

CVSS v3 6.5

EPSS 0.0008

EPSS Percentile 23.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-287

Status published

Products (2)

monospace/directus 9.12.0 - 11.9.0

npm/directus 0 - 11.9.0npm

Published Jul 15, 2025

Tracked Since Feb 18, 2026